We are using JBoss 6.1.0 in our product. In a security scan, we have seen that the JSESSIONIDSSO cookie created by the server does not have the Secure and HttpOnly flags.
Please see the attached screenshot. Actually, we are trying to set every cookie's Secure and HttpOnly flags to true in a valve. But what we can see after the valve execution is completed and the response comes to the browser is one more JSESSIONIDSSO cookie in the response with the HttpOnly and Secure flags set to false.
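The situation described above, as an added example that is not code from the original post or from JBoss: a Valve that rewrites the Set-Cookie headers only after the rest of the pipeline has run, so that a cookie added downstream (for example by a later valve or by the authenticator) is also covered. It assumes the JBoss Web / Tomcat 6 style Valve API (org.apache.catalina.connector.Request/Response, ValveBase), that the valve is configured in the Host pipeline ahead of the SingleSignOn valve, and that the response is not yet committed when the pipeline returns; the class name and the helper method are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.tomcat.util.http.MimeHeaders;

/**
 * Hypothetical valve (not part of JBoss): normalises every Set-Cookie header
 * AFTER the downstream pipeline has run, so cookies added later in the
 * pipeline (such as an SSO cookie added by the authenticator) get the
 * Secure and HttpOnly attributes too.
 */
public class CookieFlagValve extends ValveBase {

    private static final String SET_COOKIE = "Set-Cookie";

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Run the rest of the pipeline first. Anything that sets cookies
        // before this call returns is visible to us afterwards.
        getNext().invoke(request, response);

        // Headers can only be changed while the response is uncommitted;
        // if something already flushed the response there is nothing to do.
        if (response.isCommitted()) {
            return;
        }

        String[] values = response.getHeaderValues(SET_COOKIE);
        if (values == null || values.length == 0) {
            return;
        }

        // Only mark cookies Secure on an HTTPS request; a Secure cookie on a
        // plain-HTTP response would simply be dropped by the browser.
        boolean secureRequest = request.isSecure();

        // Replace the whole Set-Cookie header set with the rewritten values.
        MimeHeaders headers = response.getCoyoteResponse().getMimeHeaders();
        headers.removeHeader(SET_COOKIE);
        for (String value : values) {
            response.addHeader(SET_COOKIE, withFlags(value, secureRequest));
        }
    }

    /**
     * Appends "; Secure" and "; HttpOnly" to a Set-Cookie value unless the
     * attribute is already present (attribute names are case-insensitive).
     */
    static String withFlags(String setCookie, boolean secure) {
        String lower = setCookie.toLowerCase();
        StringBuilder sb = new StringBuilder(setCookie);
        if (secure && !hasAttribute(lower, "secure")) {
            sb.append("; Secure");
        }
        if (!hasAttribute(lower, "httponly")) {
            sb.append("; HttpOnly");
        }
        return sb.toString();
    }

    /** True if the (lower-cased) cookie string carries the given attribute. */
    private static boolean hasAttribute(String lowerCookie, String attr) {
        for (String part : lowerCookie.split(";")) {
            if (part.trim().equals(attr)) {
                return true;
            }
        }
        return false;
    }
}
```

The point of calling getNext().invoke() first is ordering: a valve that sets the flags and then invokes the rest of the pipeline cannot see a cookie that is only added further down, which matches the symptom of an extra JSESSIONIDSSO without the flags. After changing the valve, confirm with the browser developer tools or a raw HTTP capture that every Set-Cookie line carries both attributes, and check that no response is committed (for example by an explicit flush) before the pipeline unwinds.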